I am trying to allow users to edit their biography and on the page I want the editable text from the DB to appear in the text box. How do I do this? Currently I have the text as a placeholder, but I want to make that editable.
Also for other, shorter fields like a users company name, when I insert the value as the placeholder (I don't want it to be editable like the bio so it doesn't resubmit every time), it can't display more than one word. How can I fix this.
Note: I wrote a function that only displays a value from SQL if there is one, else it displays a generic text, i.e. "bio" or "email"
Here is my function where $content is something like $_POST["bio"] and
<?php
function echo_content($content,$name)
{
if(!empty($content)){
echo($content);
}
else{
echo($name);
}
}
?>
Below is my html/php where $content is a value from SQL.
<div class="form-group">
<legend>Bio: </legend><textarea rows="4" cols="50" class="form-control" name="bio"
placeholder=<?php echo_content($content[0]["bio"],"Bio");?> type="text"/></textarea>
</div>
You're dumping a string into an html attribute, WITHOUT quotes, so basically you're producing:
<textarea ... placeholder=Four Score and Seven Years ago type="text">
so your placeholder is Four, and then there's a bunch of unknown/illegal attributes, Score, and, Seven etc...
Try
<textarea ... placeholder="<?php echo htmlspecialchars($var) ?>" ...>
instead. note the " and use of htmlspecialchars() to quote out html metachars.
In other words, you're basically suffering from a self-inflicted HTML injection wound.
Related
I have insert iframe value into my database using php. I need to display the inserted value in a textbox in another page. But while displaying the data it only displays the value till the first " in the iframe.
my code
<label>Location</label> <input type="text" style="resize:vertical" class="md-input" name="locationmap" class="md-input" value="<?php echo $comp_row['comp_locationmap']?>">
<i class="glyphicon glyphicon-pushpin form-control-feedback glyphiconalign"></i> </div>
The output textbox only displays "<iframe src= "
you need to escape the special characters!
you can do this by using htmlspecialchars() to convert only special characters to HTML entities
echo htmlspecialchars($comp_row['comp_locationmap']);
or htmlentities() to convert all characters to HTML entities
echo htmlentities($comp_row['comp_locationmap']);
I'm currently stuck trying to insert a particular type of user input into my MySQL database. I'm creating a form that allows the user to input Title, Requirements, Description, and PowerShell Script code into a database. I need to be able to then display the new input.
I started by converting all my $_POST data into htmlentities before inserting it and everything seemed to be working perfectly. All the short PowerShell scripts were inserting into the database and then displaying appropriately. But, when I tried to insert a long PowerShell script, it just left the table column blank.
// Create Insert SQL prepared statement
$insertSql = $pdoConn->prepare('INSERT INTO scripts (ScriptID, script_name, script_requirements, script_description, script_code) VALUES (NULL, :scriptName, :scriptRequirements, :scriptDescription, :scriptCode)');
// Create htmlentity variable
$htmlName = htmlentities($_POST['scriptName']);
$htmlReq = htmlentities($_POST['scriptRequirements']);
$htmlDesc = htmlentities($_POST['scriptDescription']);
$htmlCode = htmlentities($_POST['scriptCode']);
// Execute Insert SQL prepared statement
$insertSql->execute(array(
'scriptName' => $htmlName,
'scriptRequirements' => $htmlReq,
'scriptDescription' => $htmlDesc,
'scriptCode' => $htmlCode));
// Display success message and page return
echo "New script uploaded successfully.<br>";
echo "<a href='newScript.html'>Upload another script</a><br><br>";
// Create new query to display new data
$displaySql = $pdoConn->prepare('SELECT * FROM scripts ORDER BY ScriptID DESC LIMIT 1');
// Execute SELECT query and display results
$displaySql->execute();
foreach ($displaySql as $row) {
echo "<button class='accordion'>
<h3>".$row['script_name']."</h3>
</button>
<div class='panel'>
<p class='requirements-p'>Requirements: ".$row['script_requirements']."</p>
<p id='description-p'><span>Description: </span>".$row['script_description']."</p>
<code>".$row['script_code']."</code>
</div>";
}
The form I'm using to upload data looks like this:
<article id="main-article">
<h1>Add New Script</h1>
<div id="form-envelope-div">
<div id="envelope-inner-div">
<form id="script-form" action="uploadNewScript.php" method="post" enctype="multipart/form-data">
<div id="script-div">
<label class="input_label">Title: </label>
<input class="text_input" id="title-input" type="text" placeholder="Title *" name="scriptName" required>
<label class="input_label">Requirements: </label>
<textarea class="textarea_input" id="requirements-textarea" placeholder="Requirements *" rows="10" cols="30" name="scriptRequirements" required></textarea>
<label class="input_label">Description: </label>
<textarea class="textarea_input" id="description-textarea" placeholder="Description *" rows="10" cols="30" name="scriptDescription" required></textarea>
<label class="input_label">Script: </label>
<textarea class="textarea_input" id="code-textarea" placeholder="Script *" rows="10" cols="30" name="scriptCode" required></textarea>
</div>
<div id="submit-div">
<input id="button-input" type="submit" name="submit_btn" value="Upload New Property">
</div>
</form>
</div>
</div>
</article>
Here are two examples of the user input. The first example script is short and has no problem inserting into the database. Example 1:
Name: SSL CSR Requests
Requirements: PowerShell v3 and up.
Description: This uses PS to return all CSRs generated on the server as well as the Creation Date.
Code: Get-ChildItem cert:\LocalMachine\REQUEST\ | Sort-Object -Property Subject | fl Subject,#{n='Creation Date';e={$_.'geteffectivedatestring'()}}
The second example script is much more complex and will not insert at all if I use htmlentites. If I try skipping htmlentities and insert directly from $_POST, it will only insert the beginning: $source = Also, when I inserted the script directly into the database using PhpMyAdmin, I had no problems whatsoever. It even display in HTML correctly. Example 2 Code input:
$source = “C:\inetpub\logs\LogFiles\”
$destination = "E:\IISLogBackups_$(Get-Date -format M).zip"
Add-Type -assembly "system.io.compression.filesystem"
[io.compression.zipfile]::CreateFromDirectory($source, $destination)
$logs = ls –Path “C:\inetpub\logs\LogFiles\*” –Recurse | Where-Object{$_.LastWriteTime –lt (Get-Date).AddDays(-14)}
$logs | Remove-Item
After a LOT of debugging, I finally figured out how to solve my problem. For whatever reason, the $_POST variable for the textarea field was having a problem reading the hyphens in the user input. Once the input reached the $_POST variable, it was already too late to fix the problem using htmlentities or any equivalent PHP function. So, I created a JavaScript function that automatically replaces all the hyphens with the HTML entity ” before the user input is submitted. Here's what that JavaScript looks like:
document.getElementById('code-textarea').value.replace('-', '–');
Is it possible to insert an active link to an input textbox?
I tried using an <a> tag inside the value of html but its not working.
<?php $email = "example#link.com "; ?>
<input type="text" id="email" name="email" value="<?php echo $email; ?>">
It only returns the text without the hyperlink value.
A couple things are wrong here...
You're not escaping your quotes. Therefore the PHP is invalid.
You're trying to put HTML inside a attribute, which is also invalid.
The only alternative I could see being used here is an HTML element with contenteditable="true" applied. This makes it so an element (per say a <div>) can have it's content be modified.
<?php $email = "example#link.com "; ?>
<div id="fake-email" contenteditable="true"><?php echo $email; ?></div>
Then see this related question if you're doing a form.
Edit:
If you're trying to do a form, then this is one example:
document.getElementById("form").onsubmit = function(){
document.getElementById("email").value =
document.getElementById("fake-email").innerText || document.getElementById("fake-email").textContent;
}
While your form is:
<form action="..." method="..." id="form">
<div id="fake-email" contenteditable="true"></div>
<input type="hidden" id="email" name="email" />
</form>
No, it isn't possible. Input values will always be rendered as plain text. If the user doesn't need to edit the link I would just put it beside the input.
Otherwise you might want to look into WYSIWYG Editors. Links to two of the most popular below.
TinyMCE
CKEditor
You need to escape quotes when including it in your php variable.
<?php $email = "example#link.com "; ?>
You need to use a backslash when you're using double quotes.
Alternatively, you can write it as such:
<?php $email = 'example#link.com '; ?>
If you start with single quotes, then you don't need to escape the double quotes. \
I strongly suggest you read up on escaping characters when need be.
I've a column inside my table to put Html codes, I will use this table for email templating.
I have inside my page, all the templates inside my table, with two buttons, one to remove, and another one to edit.
The edit button shows the code inside a textbox, and to do the preview I did an echo to the code column.
<div class="tempcolumn">
<div><textarea name="ai" rows="15" cols="100" name="code" placeholder="Code">
<?php echo $get_temp; ?></textarea></div>
</div>
Preview
<div class="tempcolumn">
<p><?php echo $get_temp; ?></p>
<div></div>
</div>
To recognize the code and the id i created an hidden input
<input type="hidden" name="temp_id" value="'.$val['template_id'].'">
<input type="hidden" name="temp_code" value="'.$val['text'].'">
The script is working, but when i insert inside the code column some "<" or "=" doesn't work
Is inferfering because it reads the input value like this:
<input type="hidden" name="temp_id" value=" Value here + 'random character that closes the tag' ">
Is there a easier way to do that?
Thanks
You can try;
htmlspecialchars($value)
This will convert html characters to their non-interfering cousins.
See http://docs.php.net/manual/en/function.htmlspecialchars.php as I can't post the equivalents without them becoming characters.
The concept of my script is
show a textarea.
when I start giving input to
the textarea, it'll show the second
textarea.
In the same way, when I start to
input sometext in the second
textarea,
it'll show the other one and so on.
html :
<div id="question">
Question 1:<br />
<textarea rows="7" cols="72"></textarea>
</div>
javascript :
var num = 1;
$('#question').keyup(function(){
num++;
$('#question').append('
<br />Question '+num+':
<br /><textarea rows="7" cols="72">
</textarea>');
});
the problem :
when I input some word on textarea1, it shows textarea2.
but, when I input word again on textarea1, it will show a different textarea.
can any one please help me?
I don't get the idea for checking on my javascript.
Thank you
Try this, just a simple demo, http://jsfiddle.net/kCtHn/